Dear readers, please change your Ars account passwords ASAP

For more than two years, the Internet's most popular implementation of the Transport Layer Security (TLS) protocol has contained a critical defect that allowed attackers to pluck passwords, authentication cookies, and other sensitive data out of the private server memory of websites. Ars was among the millions of sites using the OpenSSL library, and that means we too were bitten by this extraordinarily nasty bug.

By mid-morning Tuesday, Ars engineers already updated OpenSSL and revoked and replaced our site's old TLS certificate. That effectively plugged the hole created by the vulnerability. By installing the OpenSSL update, attackers could no longer siphon sensitive data out of our server memory. And although there's no evidence the private encryption key for Ars' previous TLS certificate was compromised, the replacement ensured no one could impersonate the site in the event hackers obtained the key.

With Ars servers fully updated, it's time to turn our attention to the next phase of recovery. In the hours immediately following the public disclosure of the so-called Heartbleed vulnerability, several readers reported their Ars accounts were hijacked by people who exploited the bug and obtained other readers' account passwords. There's no way of knowing if compromises happened earlier than that. Ars has no evidence such hacks did occur, but two years is a long time. There's simply no way of ruling out the possibility.

It's for this reason that Ars strongly recommends all readers change their account passwords. A password change is especially urgent for people who logged in between Monday evening and mid morning on Tuesday. It's also particularly important for anyone who used their Ars password to protect accounts on other sites or anyone whose Ars accounts contained private messages of a sensitive nature. But again, out of an abundance of caution, Ars strongly urges all users to reset their pass codes.

Promoted Comments

I want to thank Ars, both writers and other staff, for their quick and active response. Reading Ars is the first I've heard of the vulnerability, and the first site I've seen take corrective actions. You guys have brought your A game. Thank you.